The Linux Administration group is for the discussion of technical issues technical issues that arise during the administration of Linux systems, including maintaining the operating system and supporting end-user applications.

In the authorized_keys file (on the remote system) you can prepend each line with no-pty which will only allow remote execution of ssh commands but not allow actual login to the remote system. The problem with it is, that it's easily defeated. But that's what logging is for, so you can monitor such activity.

The problem is you can easily modify it with the following:
# ssh remote-system "perl -pi -e 's/^no-pty //g' /.ssh/authorized_keys"

Once the above is executed you're back to a system where you can get a pty. There are better ways to secure ssh, but this would probably keep the auditors happy. Having a way to rotate your keys on a regular basis seems to make them happier too.

As a completely out of the box alternative, you could just get the root user to download and execute a script from a known location on a remote server using a cron job. The script is blank until you want it to contain some instructions, at which point it executes them.

Obviously there are some security issues with this, but it might help you at as an alternative method.

You can run remote commands as root with
"PermitRootLogin no" set in sshd by using sudo.
Configure sudo to allow a userid of your choice
to be able to perform any command as root
without requiring you to enter any password.
For example let's say you have configured sudo
to allow the rootie userid to run alll root commands
on the target machine without requiring a password.
Login to rootie on your source server and then you
will be able to run any command as root in the
following way:
ssh target sudo command